Public/private communications paths

ABSTRACT

Access to transactional multimedia content may be based on network routing. Some multimedia content may be best delivered via a private network. Other multimedia content may be best delivered via a public network. A type of the multimedia content may thus determine network routing.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 16/516,315 filed Jul. 19, 2019, which is a continuation of U.S. application Ser. No. 15/136,884 filed Apr. 23, 2016 (now U.S. Pat. No. 10,412,133), which is a continuation of U.S. application Ser. No. 12/618,207 filed Nov. 13, 2009 (now U.S. Pat. No. 9,325,502). All sections of the aforementioned applications and patents are incorporated herein by reference in their entirety.

BACKGROUND

Field of the Disclosure

The present disclosure relates to providing multimedia content and, more particularly, to identity management for users of transactional multimedia content.

Description of the Related Art

Multimedia content distribution networks (MCDNs) often provide a full array of multimedia content to customers over private networks using MCDN-issued customer premises equipment (CPE). Some potential customers wishing to receive all or part of the full array of multimedia content do not have direct physical access to an MCDN's private network or do not have MCDN-issued CPE.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of selected elements of an embodiment of an MCDN;

FIG. 2 is a block diagram of selected elements of an embodiment of an MCDN;

FIG. 3 is a block diagram of selected elements of an embodiment of an MCDN;

FIG. 4 is an embodiment of a method for providing a user with transactional content in response to determining that the user is an authorized user; and

FIG. 5 illustrates a multimedia handling device (MHD) for requesting and receiving transactional content in accordance with disclosed embodiments.

DESCRIPTION OF EXEMPLARY EMBODIMENTS

In one aspect, a device for accessing specified multimedia content (e.g., on-demand content) includes a first network interface for communicating with a multimedia content provider over an Internet protocol (IP) network. The device may be a CPE such as a set-top box (STB) or other multimedia processing resource (MPR). The device contains a computer readable medium with embedded instructions for communicating from the first network interface a certificate with a hardware authentication code over the IP network to a network server to verify that the apparatus is authorized to access the specified content. The hardware authentication code (e.g., an X.509 certificate) may be uniquely indicative of the device and may be associated with the device in a substantially permanent way. Further instructions embedded in the computer readable medium are for communicating a request to access the specified content to the network server and for processing the specified content for presentation to a display device.

In certain embodiments, the device contains a second network interface for receiving the specified content over the IP network. The first and/or the second network interface may be enabled for wired communication, wireless communication, satellite communication, and combinations thereof. The specified content may be streamed to the device or otherwise downloaded for later play.

In a further aspect, a disclosed method is for providing access to transactional multimedia content (e.g., video on-demand (VOD) content) and live multimedia content. The method includes determining whether the client is associated with a first service level or a second service level. If the client is associated with the second service level, the client device is directed to a second level transactional multimedia content server. The method includes receiving a certificate indicative of a hardware authentication code from the client device, comparing the hardware authentication code to a plurality of authorized codes, and granting the client device access to the transactional multimedia content responsive to the hardware authentication code corresponding to one or more of the plurality of authorized codes. Access may be provided over a public IP network (e.g., the Internet). Determining whether the user is associated with the first service level or second service level may be determined at least in part by the quality of the communication path between the client device and a portion of an MCDN.

In some embodiments, granting access to the specified transactional content includes enabling the client device to download the specified transactional multimedia content for later viewing. Granting access may also include streaming the specified transactional multimedia content to the client device. The certificate indicative of the hardware authentication code may be received by a bootstrap server and may be received from a public IP network such as the Internet. Alternatively, the hardware authentication code may be from a private network such as a cellular network or other private IP network.

Multimedia content (e.g., a television program) is provided to users by service providers that provide access to the content over private networks, for example. Such private networks may, for example, include satellite networks, fiber optic networks, coaxial networks or a combination of such networks. The service provider may issue CPE such as an STB to enable users to access specified transactional multimedia content over a private network. When a user wishes to obtain certain transactional multimedia content, the STB or other CPE issued by the service provider may authenticate with the service provider network and allow the user access to the specified or requested multimedia content.

In some cases, it is impractical to offer full-fledged service to all potential users within a service provider's footprint. For example, there may be a small percentage of potential users that live outside the bounds of what is deemed a practical service area for provisioning a service provider's private network. In such cases, the service provider may provide a limited set of content to users over public networks, such as by providing transactional multimedia content to users over the Internet. Access to the transactional multimedia content may be through hardware (e.g., an STB) issued to the user by the service provider or may be by other hardware such as a personal computer, smartphone, television, or other MHD. In some disclosed embodiments, a service provider may authenticate the user's identity by a hardware authentication code associated with the hardware and presented to the service provider as a certificate.

If an untrusted network such as the Internet is used to transport the transactional content by the service provider, disclosed systems may take steps to authenticate the identity of the user and prevent hacking by those that may wish to emulate the user or do harm to the service provider network. For example, steps may be taken to prevent IP spoofing and recognize and reject bogus session requests.

In operation, when requesting multimedia content, a client device application may connect to a bootstrap server that receives a client request and selects an appropriate server for handling the client request. For example, based on a received certificate it may be determined that the client device is associated with a first level service and the client will be directed by the bootstrap server to an appropriate server for receiving a full array of multimedia content; alternatively, if the bootstrap server, based on a received certificate that includes a hardware authentication code, determines that a client device is entitled to a second service level, the client device may be directed to a server for sending transactional content over a public IP network.

In some disclosed embodiments, a certificate authority provides each CPE device that accesses multimedia content from the service provider with a unique certificate that can include a unique device identification embedded within it to use during authentication. For service provider-issued CPE such as STBs that entitle a user to a first service level, the CPE can access a first server to gain access to a full array of multimedia content including the specified transactional content (e.g., VOD movies). In other cases, such as when a client device (e.g., personal computer) running a Web browser application requests transactional content (e.g., a VOD movie) from the service provider, the service provider may direct the Web browser to a second server that provides a second service level including, for example, specified transactional content (e.g., VOD movies) only if the web browser application presents a valid certificate that includes an indication of a hardware identification code unique to the client device and associated with a user account authorized to receive the specified content.

In some embodiments, a certifying authority issues certificates for use with the client devices when attempting to access transactional content from the service provider. In some embodiments, assets within a service provider maintain a certificate to user account mapping for client device authentication and web application authentication.

Upon receiving a certificate from a client device, a determination can be made by a bootstrap server or other such device whether a user is entitled to a first service level or second service level. In some embodiments, an authentication server, responsive to receiving a certificate associated with a second level service, directs a session request to a second level server that provides access to transactional multimedia content associated with a second service level. If the authentication server receives from the client device with the request a certificate associated with a first service level, the authentication server directs the client device to a first level server. Such exemplary systems operate to provide one or more of a plurality of levels of service to users based on a permission level for each user, where the permission levels are associated with hardware associated with the user. The hardware may be issued by the service provider or may be network agnostic such as a personal computer, smart phone, or other such equipment. In the following description, details are set forth by way of example to facilitate discussion of the disclosed subject matter. It should be apparent to a person of ordinary skill in the art, however, that the disclosed embodiments are exemplary and not exhaustive of all possible embodiments.

FIG. 1 is a block diagram of a particular illustrative embodiment of system 100 used for presenting transactional multimedia content to users that may not be entitled to receive a full array of multimedia content available to other users. System 100 includes live content source 102 that communicates with CPE 104 (which may include, for example, an STB device) via network 106. Live content source 102 includes a memory to store live content 114. CPE 104 can receive input from remote control device 110 and can communicate audio and video to display device 112. In particular embodiments, network 106 may be a public network, such as the Internet, or a private access network, such as an MCDN.

As shown, CPE 104 can communicate with transactional content source 108 via network 106. Transactional content source 108 includes transactional content 116, which may be specified for download or streaming by a user of CPE 104. Server system 118 provides both live content 114 and transactional content 116 to CPE 104, depending on what service level CPE 104 is entitled to receive.

In illustrative embodiments, provider server 122 receives a request for specified transactional content (e.g., a VOD movie) over network 106 from CPE 104. Provider server 122 may function as a bootstrap server and determine, based on a certificate associated with a received request, which content source within server system 118 is the proper source for the specified content. If the received request indicates that CPE 104 is associated with a first service level that includes live multimedia content, provider server 122 may direct CPE 104 to live content source 102 to access live content 114. If CPE 104 is associated with a second service level that includes transactional content 116 (e.g., a VOD movie), provider server 122 in an exemplary embodiment directs CPE 104 to transactional content source 108 for access to transactional content 116.

Provider server 122 can determine which service level CPE 104 is entitled to receive based on a received certificate associated with CPE 104 that contains an indication of hardware authentication code 120. By comparing the received hardware authentication code to a plurality of authorized codes, a determination is made which of a plurality of services to provide the user.
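The following Python sketch is an added example, not part of the disclosure: it shows one way a bootstrap server could compare the hardware authentication code from a verified client certificate against authorized codes and select a content source by service level, as described above for the bootstrap server and for provider server 122. It assumes the code is carried in the certificate subject's serialNumber attribute and that the TLS layer has already validated the certificate chain; the codes, account names and server names are constructed.

```python
"""Bootstrap-server routing on a certificate's hardware authentication code."""
import re
from dataclasses import dataclass
from typing import Optional

FIRST_LEVEL, SECOND_LEVEL = "first", "second"

# Constructed sample data: authorized code -> (user account, service level).
AUTHORIZED_CODES = {
    "STB-00A1B2C3": ("acct-1001", FIRST_LEVEL),
    "PC-77F0E9D8": ("acct-2002", SECOND_LEVEL),
    "STB-0BADC0DE": ("acct-3003", FIRST_LEVEL),
}
# Constructed: devices reported stolen are denied even though still provisioned.
REVOKED_CODES = {"STB-0BADC0DE"}

# Hypothetical server names standing in for the two content sources.
SERVERS = {
    FIRST_LEVEL: "live-content-source",
    SECOND_LEVEL: "transactional-content-source",
}

# Assumed code format; anything else is rejected before lookup.
CODE_FORMAT = re.compile(r"[A-Z0-9-]{4,32}")


@dataclass(frozen=True)
class Decision:
    granted: bool
    account: Optional[str]
    service_level: Optional[str]
    server: Optional[str]
    reason: str


def deny(reason: str) -> Decision:
    return Decision(False, None, None, None, reason)


def hardware_code(peercert: dict) -> Optional[str]:
    """Extract the code from a dict shaped like ssl.SSLSocket.getpeercert().

    The code is an identifier, not a secret: possession of the certificate's
    private key is what the TLS handshake proves. A subject carrying zero or
    several serialNumber attributes is ambiguous and yields None.
    """
    values = [value
              for rdn in peercert.get("subject", ())
              for name, value in rdn
              if name == "serialNumber"]
    if len(values) != 1:
        return None
    code = values[0]
    return code if CODE_FORMAT.fullmatch(code) else None


def route(peercert: Optional[dict]) -> Decision:
    """Decide which content source, if any, the client is directed to."""
    # getpeercert() gives None without a certificate and {} when the
    # certificate was not validated; both are bogus session requests here.
    if not peercert:
        return deny("no verified client certificate")
    code = hardware_code(peercert)
    if code is None:
        return deny("missing, ambiguous or malformed hardware code")
    if code in REVOKED_CODES:
        return deny("hardware code revoked")
    entry = AUTHORIZED_CODES.get(code)
    if entry is None:
        return deny("hardware code not authorized")
    account, level = entry
    return Decision(True, account, level, SERVERS[level], "authorized")


def sample_cert(*codes: str) -> dict:
    """Build a constructed certificate dict carrying the given codes."""
    subject = [(("commonName", "constructed-device"),)]
    subject += [(("serialNumber", code),) for code in codes]
    return {"subject": tuple(subject)}


if __name__ == "__main__":
    for cert in (sample_cert("STB-00A1B2C3"), sample_cert("PC-77F0E9D8"),
                 sample_cert("STB-0BADC0DE"), sample_cert("PC-00000000"),
                 sample_cert(), {}):
        print(route(cert))
```
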

Server system 118 can identify the multimedia content to be received at CPE 104 based on the request and based on whether the certificate received by provider server 122 includes an authorized hardware code. To enable a user to select or specify transactional content for download or streaming, server system 118 (or transactional content source 108) can generate an electronic storefront that includes selectable indicators related to assets selected from transactional content 116. In certain embodiments, transactional content 116 includes assets such as digital wallpaper, movie images, actor images, ring tones, audio clips from media content, downloadable soundtracks, video on demand content, soundtrack clips, or any combination thereof. In general, each of the assets may have different associated access rights. For example, a ring tone electronic asset may allow unrestricted use of the ring tone after purchase, while a VOD movie download may allow either a limited number of viewings or unlimited access for a limited period of time.

In an illustrative embodiment, server system 118 generates an electronic storefront including a graphical user interface (GUI). The GUI includes multiple selectable indicators related to available multimedia content that may be received at CPE 104.

In some embodiments, the GUI may include information describing selected transactional content 116 or describing a plurality of purchase options related to the selected assets. The information may be personalized to a user or subscriber of CPE 104. In another particular embodiment, the information describing the asset or the information describing the plurality of purchase options may be personalized to an account associated with CPE 104.

In an illustrative embodiment, CPE 104 may receive data that can be executed by a processor to generate a GUI, which may be provided to display device 112. The GUI can include multiple purchasable multimedia assets of different types and multiple related purchase options. CPE 104 may receive an input related to one or more of the multiple purchasable assets and an associated purchase option via remote control device 110. Accordingly, CPE 104 can send a request to server system 118 that is related to the input.

FIG. 2 is a block diagram of an illustrative embodiment of MCDN system 200 that may be used to provide multimedia content including transactional content to users according to permission levels associated with hardware identification codes for client devices that request the multimedia content. Although multimedia content is not limited to TV, VOD, or pay-per-view (PPV) programs, the depicted embodiments of MCDN system 200 and its capabilities are primarily described herein with reference to these types of multimedia content, which may be interchangeably referred to herein as “multimedia content”, “multimedia content programs”, “multimedia programs” or, simply, “programs.”

The elements of MCDN system 200 illustrated in FIG. 2 depict network embodiments with functionality for delivering multimedia content to a set of one or more users. It is noted that different embodiments of MCDN system 200 may include additional elements or systems (not shown in FIG. 2 for clarity) as desired for additional functionality, such as data processing systems for billing, content management, customer support, operational support, or other business applications. It is further noted that elements of system 200 may be included within the analogous elements of system 100 illustrated in FIG. 1.

As shown, system 200 can include client-facing tier 202, application tier 204, acquisition tier 206, and operations and management tier 208. Each tier 202, 204, 206, 208 is coupled to private network 210; to public network 212, such as the Internet; or to both private network 210 and public network 212. For example, client-facing tier 202 can be coupled to the private network 210. Further, application tier 204 can be coupled to private network 210 and to public network 212. Acquisition tier 206 can also be coupled to private network 210 and to public network 212. Additionally, operations and management tier 208 can be coupled to public network 212.

As illustrated in FIG. 2, the various tiers 202, 204, 206, 208 communicate with each other via private network 210 and the public network 212. For instance, client-facing tier 202 can communicate with application tier 204 and acquisition tier 206 via private network 210. Application tier 204 can communicate with acquisition tier 206 via private network 210. Further, application tier 204 can communicate with acquisition tier 206 and operations and management tier 208 via public network 212. Moreover, acquisition tier 206 can communicate with operations and management tier 208 via public network 212. In a particular embodiment, elements of application tier 204, including, but not limited to, client gateway 250, can communicate directly with client-facing tier 202.

Client-facing tier 202 can communicate with user equipment via access network 266. In an illustrative embodiment, CPE clients 214, 222 can be coupled to a local switch, router, or other device of the access network 266. Client-facing tier 202 may communicate with a first representative STB device via first CPE client 214 and with a second representative STB device via second CPE client 222 (STB devices not explicitly shown in FIG. 2). In a particular embodiment, first CPE client 214 can be located at a first customer premise, and second CPE client 222 can be located at a second customer premise. In another particular embodiment, the first representative STB device and the second representative STB device can be located at a single customer premise, both coupled to one of CPE clients 214, 222. CPE clients 214, 222 can include routers, local area network (LAN) devices, modems, such as digital subscriber line (DSL) modems, any other suitable devices for facilitating communication between an STB device and access network 266, or any combination thereof.

In an exemplary embodiment, client-facing tier 202 can be coupled to CPE clients 214, 222 via fiber optic cables. In another exemplary embodiment, CPE clients 214, 222 can include DSL modems that are coupled to one or more network nodes via twisted pairs, and client-facing tier 202 can be coupled to the network nodes via fiber-optic cables. CPE clients 214, 222 may be configured to process data received via access network 266, such as multimedia content provided by elements of MCDN system 200.

CPE clients 214, 222 can include MCDN STB devices; video gaming devices or consoles that are adapted to receive MCDN content; personal computers or other computing devices that are adapted to emulate STB device functionalities; any other device adapted to receive MCDN content and transmit data to an MCDN system via an access network; or any combination thereof.

In an exemplary, non-limiting embodiment, CPE clients 214, 222 can receive data, video, or any combination thereof, from client-facing tier 202 via access network 266 and render or display the data, video, or any combination thereof, at a display device, to which it is coupled. In an illustrative embodiment, CPE clients 214, 222 can include tuners that receive and decode television programming signals or packet streams for transmission to display devices, such as TV monitors. Further, CPE clients 214, 222 may include a processor and a memory device (not shown in FIG. 2) that is accessible to the processor. In one embodiment, the memory device may store executable instructions, such as embodied by a computer program.

In an illustrative embodiment, client-facing tier 202 may include a means for communicating between client-facing tier 202 and access network 266 and between client-facing tier 202 and private network 210. In one example, the communication means in client-facing tier 202 may be a network switch or sub-system (not shown in FIG. 2) that is coupled to one or more data servers, such as D-servers 232, that store, format, encode, replicate, or otherwise manipulate or prepare video content for communication from client-facing tier 202 to CPE clients 214, 222. The communication means in client-facing tier 202 can also be coupled to terminal server 234 that provides terminal devices with a point of connection to MCDN system 200 via client-facing tier 202. In a particular embodiment, communication means in client-facing tier 202 can be coupled to VOD server 236 that stores or provides VOD content imported by MCDN system 200. Further, the communication means in client-facing tier 202 may be coupled to one or more video servers 280 that receive video content and transmit the content to CPE clients 214, 222 via access network 266. The communication means in client-facing tier 202 can also be coupled to electronic store server 282 that stores and provides data related to purchasable assets to user devices, such as CPE clients 214, 222.

In an illustrative embodiment, client-facing tier 202 can communicate with a large number of clients, such as representative CPE clients 214, 222, over a wide geographic area, such as a metropolitan area, a viewing area, a statewide area, a regional area, a nationwide area or any other suitable geographic area, market area, or subscriber or customer group that can be supported by networking client-facing tier 202 to numerous CPE clients. In a particular embodiment, the communication means in client-facing tier 202, or any portion thereof, can include a multicast router or switch that communicates with multiple CPE clients via a multicast-enabled network.

As illustrated in FIG. 2, application tier 204 can communicate with both private network 210 and public network 212. Application tier 204 can include a means for communicating that can be coupled to application server 242 and to operations systems and support/billing systems and support (OSS/BSS) gateway 244. In a particular embodiment, application server 242 can provide applications to CPE clients 214, 222 via access network 266, which enable CPE clients 214, 222 to provide functions, such as interactive program guides, video gaming, display, messaging, processing of VOD material and other MCDN multimedia content, etc. In an illustrative embodiment, application server 242 can provide location information to CPE clients 214, 222. In a particular embodiment, OSS/BSS gateway 244 includes OSS data, as well as BSS data. In one embodiment, OSS/BSS gateway 244 can provide or restrict access to OSS/BSS server 264 that stores operations and billing systems data.

The means for communicating in application tier 204 can be coupled to domain controller 246 that provides Internet access, for example, to users at their computers 268 via public network 212. For example, domain controller 246 can provide remote Internet access to IPTV account information, e-mail, personalized Internet services, or other online services via public network 212. In addition, the means for communicating in application tier 204 can be coupled to subscriber and system store 248 that includes account information, such as account information that is associated with users who access MCDN system 200 via private network 210 or public network 212. In an illustrative embodiment, subscriber and system store 248 can store subscriber or customer data and create subscriber or customer profiles that are associated with IP addresses, stock-keeping unit (SKU) numbers, hardware identification codes, other identifiers, or any combination thereof, of corresponding CPE clients 214, 222. In another illustrative embodiment, the subscriber and system store can store data associated with capabilities of STB devices associated with particular customers.

In a particular embodiment, application tier 204 can include client gateway 250 that communicates data directly to client-facing tier 202. In this embodiment, client gateway 250 can be coupled directly to client-facing tier 202. Client gateway 250 can provide user access to private network 210 and other tiers coupled thereto. In an illustrative embodiment, CPE clients 214, 222 can access MCDN system 200 via access network 266, using information received from client gateway 250. User devices can access client gateway 250 via access network 266, and client gateway 250 can allow such devices to access private network 210 once the devices are authenticated or verified. Similarly, client gateway 250 can prevent unauthorized devices, such as hacker computers or stolen CPE from accessing private network 210, by denying access to these devices beyond access network 266.

For example, when a first representative CPE client 214 accesses client-facing tier 202 via access network 266, client gateway 250 can verify subscriber information by communicating with subscriber and system store 248 via private network 210. Further, client gateway 250 can verify billing information and status by communicating with OSS/BSS gateway 244 via private network 210. In one embodiment, OSS/BSS gateway 244 can transmit a query via public network 212 to OSS/BSS server 264. After client gateway 250 confirms subscriber and/or billing information, client gateway 250 can allow CPE client 214 to access MCDN content and VOD content at client-facing tier 202. If client gateway 250 cannot verify subscriber information for CPE client 214, e.g., because it is connected to an unauthorized twisted pair or has an unauthorized hardware identification code, client gateway 250 can block transmissions to and from CPE client 214 beyond access network 266.

In FIG. 2, acquisition tier 206 may include a means for communication (not shown in FIG. 2) with private network 210, that can also communicate with operations and management tier 208 via public network 212. In a particular embodiment, the communication means in acquisition tier 206 can be coupled to live acquisition server 254 that receives or acquires television content, movie content, advertisement content, other video content, or any combination thereof, from broadcast service 256, such as a satellite acquisition system or satellite head-end office. In a particular embodiment, live acquisition server 254 can transmit content to the communication means in acquisition tier 206, which can transmit the content to client-facing tier 202 via private network 210.

In an illustrative embodiment, multimedia content can be transmitted to D-servers 232, where it can be encoded, formatted, stored, replicated, or otherwise manipulated and prepared for communication from video server(s) 280 to CPE clients 214, 222. Client-facing tier 202 can receive content from video server(s) 280 and communicate the content to CPE 214, 222 via access network 266. STB devices can receive the content via CPE 214, 222, and can transmit multimedia content to television monitors (not shown in FIG. 2). In an illustrative embodiment, video or audio portions of the multimedia content can be streamed to CPE clients 214, 222.

Further, acquisition tier 206 can be coupled to a VOD importer server 258 that receives and stores television or movie content received at acquisition tier 206 and communicates the stored content to VOD server 236 at client-facing tier 202 via private network 210. Additionally, at acquisition tier 206, VOD importer server 258 can receive content from one or more VOD sources outside MCDN system 200, such as movie studios and programmers of non-live content. VOD importer server 258 can transmit the VOD content to acquisition tier 206, which can communicate the material to client-facing tier 202 via private network 210. The VOD content can be stored at one or more servers, such as VOD server 236.

When users issue requests for VOD content via CPE clients 214, 222, the requests can be transmitted over access network 266 to VOD server 236, via client-facing tier 202. Upon receiving such requests, VOD server 236 can retrieve the requested VOD content and transmit the content to CPE clients 214, 222 across access network 266. In an illustrative embodiment, video or audio portions of VOD content can be streamed to CPE clients 214, 222.

In FIG. 2, operations and management tier 208 can include a means for communication (not shown in FIG. 2) that conducts communication between operations and management tier 208 and public network 212. The communication means in operations and management tier 208 may be coupled to TV2 server 262. Additionally, communication means in operations and management tier 208 can be coupled to OSS/BSS server 264 and to simple network management protocol (SNMP) monitor server 286 that monitors network devices within or coupled to MCDN system 200. In a particular embodiment, the communication means in operations and management tier 208 can communicate with acquisition tier 206 via public network 212.

In an illustrative embodiment, live acquisition server 254 can transmit content to acquisition tier 206, which can transmit the content to operations and management tier 208 via public network 212. In this embodiment, the operations and management tier 208 can transmit the content to TV2 server 262 for display to users accessing the user interface at TV2 server 262. For example, a user can access TV2 server 262 using personal computer 268 coupled to public network 212.

In a particular illustrative embodiment, CPE client 214 may receive an input from the remote control device and transmit a request to client-facing tier 202 for an electronic storefront. The request may include an identifier related to the selected media content, an identifier related to CPE client 214, an account identifier associated with CPE client 214, an identifier associated with the electronic storefront, or any combination thereof. In a particular embodiment, in response to sending the request and after authentication, CPE client 214 may receive a GUI that includes an electronic storefront that has multiple purchasable assets and multiple selectable payment options. In one embodiment, CPE client 214 can receive data that can be executed by a processor to generate a GUI that includes an electronic storefront that has multiple purchasable assets and multiple selectable payment options. A user may utilize a remote control device to purchase one or more assets and to select a payment option related to the purchase. CPE client 214 may send an asset identifier (e.g., hardware identification code) and purchase information to E-store server 282 for fulfillment.

FIG. 3 is a block diagram of an illustrative embodiment of system 300 for distributing multimedia content including transactional content (e.g., VOD movies) to users in accordance with disclosed embodiments. As shown, system 300 includes server system 302 that communicates with STB device 304 via network 306, which may include portions of the public Internet or portions of an MCDN. In addition, server system 302 communicates with STB device 304 via network 307, which may include a cellular network, private network, or other network for communication between server system 302 and STB 304. Server system 302 includes interface 316, processing logic 314 and memory 312 that is accessible to processing logic 314. As shown, interface 316 communicates with both networks 306 and 307. Communications between server system 302 and networks 306 and 307 may be through disparate protocols and media. For example, the communications between server system 306 and networks 306 and 307 may be any combination of technologies including IP, cellular, wired, wireless, optical, radio, coaxial, and the like.

In a particular embodiment, memory 312 includes media content identification module 318 that can be executed by processing logic 314 to transmit requested multimedia content to STB device 304. Memory 312 may also include electronic store (e-store) module 320 that can be executed by processing logic 314 to generate an electronic storefront, including a GUI for a user to specify transactional assets to download or stream. Memory 312 may also include STB communication module 322 that can be executed by processing logic 314 to communicate with STB device 304 to receive requests for an electronic storefront related to media content and to communicate the generated electronic storefront to STB device 304. In a particular illustrative embodiment, STB communication module 322 receives a certificate from STB device 304 that allows STB communication module 322 to authenticate STB device 304. In some embodiments, the certificate is received over network 307 and multimedia content is delivered to STB device 304 over network 306.

In some illustrative embodiments, STB communication module 322 receives a certificate from STB device 304 that includes an indication of hardware identification code 345. STB communication module 322 may determine from the certificate whether STB device 304 is entitled to service. If multiple levels of service are available, STB communication module 322 may determine what service level STB device 304 is entitled to receive. For example, if STB device 304 is only entitled to receive a second service level that includes only transactional content (e.g., only VOD movies), then STB communication module 322 may instruct E-store module 320 to provide STB device 304 with a GUI including available transactional content associated with the second service level. Otherwise, if STB device 304 is authorized to receive a first service level that includes live content, STB communication module 322 may instruct E-store module 320 to provide STB device 304 with a GUI including available live content associated with the first service level. Accordingly, server system 302 provides access to transactional content and live content according to the service level associated with STB device 304. Determining which service level is associated with STB device 304 may include comparing a certificate received over network 307 or network 306 to a list of authorized certificates.

In some embodiments, the service level available to STB device 304 is predetermined according to, for example, whether a service provider has installed network resources sufficient to provide a full level service at the location of STB device 304. In other exemplary embodiments, server system 302 or STB device 304 may determine which service level to provide to STB device 304 based on the quality of the communication path between STB device 304 and server system 302. For example, network 306 may support a first service level and network 307 may support a second service level. If network 306 becomes unavailable, STB communication module 322 may detect this unavailability and, accordingly, provide STB device 304 with a second service level through network 307.

As shown, STB device 304 includes interface 324 to network 306 and interface 325 to network 307. STB device 304 may also include processor 326 coupled to interface 324 and memory 328 that is accessible to processor 326. STB device 304 may also include remote control interface 330 that communicates with remote control device 308 and display device interface 332 that communicates with display device 310. In a particular embodiment, memory 328 includes media content module 334 that is executable by processor 326 to receive media content from server system 302 (or from another content source) via network 306. Memory 328 may also include GUI module 338 that is executable by processor 326 to receive instructions related to an electronic storefront and to generate a GUI that can be provided to display device 310 that includes one or more selectable indicators related to purchasable assets that may include transactional content associated with a first or second service level.

In a particular illustrative embodiment, e-store module 320 may be executed to select an electronic storefront from a plurality of stored electronic storefronts based on multimedia content available to STB device 304. In another particular illustrative embodiment, e-store module 320 can be executed to generate the electronic storefront dynamically, such that the GUI includes an electronic storefront having a first selectable element related to a first specified multimedia asset and a second selectable element related to a second specified multimedia asset (both selected based on a received certificate that includes an indication of a hardware identification code associated with a requesting device). The GUI can also include multiple payment options that are related to a first selectable element and a second selectable element. In a particular illustrative embodiment, the multiple payment options can include an electronic coupon payment option, account billing option to bill a subscriber account associated with the destination device (i.e., the STB device), a credit card option, a debit card option, other payment options, or any combination thereof.

If a user selects transactional content for viewing, STB device 304 sends a request to server system 302 requesting specified transactional multimedia content (e.g., a VOD movie). The request may include an identifier related to the media content, a hardware identifier associated with STB device 304, a subscriber account identifier, an electronic storefront identifier, other information, or any combination thereof. In accordance with some disclosed embodiments, the request may include or be preceded by a certificate that includes an indication of hardware identification code 345.

In some embodiments, STB device 304 receives data related to an electronic storefront based on the request, and provides a user interface to display device 310 that includes the electronic storefront. The electronic storefront includes one or more selectable indicators related to available transactional multimedia assets. The electronic storefront also includes one or more payment options for purchasing selected assets if a charge is associated with the asset. STB device 304 receives a selection of at least one indicator and a selected payment option and sends data related to the selection and the selected payment option to server system 302 to complete a purchase transaction.

FIG. 4 illustrates elements of an embodied method 400 for identity management for distributing transactional content. As shown, a request is received (block 401) from a client device to access multimedia content. For example, a client device may request transactional content (e.g., a VOD movie). A determination may be made (block 402) whether the request was transmitted over a private network or public IP network. If the request was received over a private network, the client device may be granted access to first level content such as live high-definition television. Granting the client access may also be conditional upon authenticating a certificate received from the client device. In such embodiments, if the certificate received from the client device is associated with an account authorized to receive first level content, then the client is granted access (block 408).

If the request is not received over a private network (block 404), a certificate associated with the client device is received (block 406) and compared (block 410) to authorized certificates. The certificate includes an indication of a hardware identifier for the client device from which the request was made. If the client device is an authorized device (block 412), a client is granted access (block 414) to second level content such as transactional content (e.g., a VOD movie). If the client is not an authorized client (block 412), then the client is rejected (block 416).
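The decision flow of method 400 can be walked through in code. The following Python sketch is an added illustration and is not part of the disclosure; the SHA-256 fingerprint used as the matching key, the placeholder certificate bytes, the hardware ID strings, and the handling of a second-level or unlisted device on the private path are assumptions.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Level(Enum):
    FIRST = "first"    # e.g. live high-definition television
    SECOND = "second"  # transactional content, e.g. a VOD movie


@dataclass(frozen=True)
class Request:
    content_id: str
    via_private_network: bool  # result of the block 402 determination
    cert_der: bytes            # certificate received from the client device


@dataclass(frozen=True)
class Decision:
    granted: Optional[Level]     # None means the client is rejected
    hardware_id: Optional[str]   # hardware ID indicated by the certificate
    block: int                   # FIG. 4 block at which the flow ended


def fingerprint(cert_der: bytes) -> str:
    """Assumed matching key: SHA-256 over the certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed sample data: placeholder bytes stand in for DER certificates.
CERT_LIVE = b"constructed certificate, device entitled to first level"
CERT_VOD = b"constructed certificate, device entitled to second level"
CERT_UNKNOWN = b"constructed certificate, not on the authorized list"

# Authorized certificates: fingerprint -> (hardware ID, entitled level).
AUTHORIZED = {
    fingerprint(CERT_LIVE): ("HWID-EXAMPLE-0001", Level.FIRST),
    fingerprint(CERT_VOD): ("HWID-EXAMPLE-0002", Level.SECOND),
}


def decide(req: Request) -> Decision:
    """Walk blocks 402-416 for one request."""
    # Blocks 406 and 410: compare the certificate to the authorized list.
    entry = AUTHORIZED.get(fingerprint(req.cert_der))
    if entry is None:
        # Block 416. Rejecting on the private path too is an assumption.
        return Decision(None, None, 416)
    hardware_id, entitled = entry
    # Private path and an account authorized for first level content.
    if req.via_private_network and entitled is Level.FIRST:
        return Decision(Level.FIRST, hardware_id, 408)
    # Public path, or a second-level device on the private path
    # (assumption): only transactional content is granted.
    return Decision(Level.SECOND, hardware_id, 414)
```

A device entitled to the first level that arrives over the public path receives second level content only, which matches the fallback described for hardware ID 513 when the MCDN is unavailable.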

FIG. 5 illustrates a block diagram with selected elements of MHD 525. As shown, MHD 525 can be a functional component of CPE 522 along with gateway (GW) 523 and display 526, independent of any physical implementation. In particular, it is noted that CPE 522 may be any combination of GW 523, MHD 525 and display 526. It is further noted that elements of MHD 525 may be included within the analogous elements of system 100 and system 200 illustrated in FIGS. 1 and 2, respectively.

In the embodiment depicted in FIG. 5, MHD 525 includes processor 501 coupled via shared bus 502 to storage media collectively identified as storage 510. MHD 525 further includes network adapter 520 that interfaces MHD 525 to LAN 524 and through which MHD 525 receives multimedia content 560. GW 523 is shown providing a bridge between access network 530 and LAN 524, and receiving multimedia content 560 from access network 530.

In embodiments suitable for use in IP based content delivery networks, MHD 525, as depicted in FIG. 5, may include transport unit 531 that assembles the payloads from a sequence or set of network packets into a stream of multimedia content. In coaxial based access networks, content may be delivered as a stream that is not packet based and it may not be necessary in these embodiments to include transport unit 530. In a co-axial implementation, however, clients, such as CPE 522, may require tuning resources (not explicitly depicted in FIG. 5) to “filter” desired content from other content that is delivered over the coaxial medium simultaneously and these tuners may be provided in MHDs 525. The stream of multimedia content received by transport unit 530 may include audio information and video information and transport unit 530 may parse or segregate the two to generate video stream 532 and audio stream 534 as shown.

Video and audio streams 532 and 534, as output from transport unit 530, may include audio or video information that is compressed, encrypted, or both. A decoder unit 540 is shown as receiving video and audio streams 532 and 534 and generating native format video and audio streams 542 and 544. Decoder 540 may employ any of various widely distributed video decoding algorithms including any of the Motion Pictures Expert Group (MPEG) standards or Windows Media Video (WMV) standards, as examples. Similarly decoder 540 may employ any of various audio decoding algorithms including Dolby® Digital, Digital Theatre System (DTS) Coherent Acoustics, and Windows Media Audio (WMA).

The native format video and audio streams 542 and 544 as shown in FIG. 5 may be processed by encoders/digital-to-analog converters (encoders/DACs) 550 and 570 respectively to produce analog video and audio signals 552 and 554 in a format compliant with display 526, which itself may not be a part of MHD 525. Display 526 may comply with National Television System Committee (NTSC), Phase Alternating Line (PAL) or any other suitable television standard.

Storage 510 is operable to store instructions, data, or both. Storage 510 may include any combination, for example, of persistent media, volatile media, fixed media, removable media, magnetic media, and semiconductor media. Storage 510 as shown may include sets or sequences of instructions, namely, an operating system 512, a remote control (RC) application program identified as RC module 514, an electronic programming guide (EPG) 516, and viewing control 515. Operating system 512 may be a UNIX or UNIX-like operating system, a Windows® family operating system, or another suitable operating system.

EPG 516 represents a guide to the multimedia content provided to CPE 522 via MCDN system 200 (see FIG. 2), and may be shown to the user as an element of the user interface. The user interface may include a plurality of menu items arranged according to one or more menu layouts, which enable a user to operate MHD 525. The user may operate the user interface, including EPG 516, using a remote control such as 308 (FIG. 3) in conjunction with RC module 514.

As shown, hardware ID 513 is a hardware identification code unique to MHD 525. Accordingly, hardware ID 513 or an indication of hardware ID 513 may be included in a certificate sent to access network 530 to authenticate hardware ID 513 and establish whether MHD 525 is entitled to receive a first or second service level, for example. In some embodiments, a bootstrap server (not depicted) communicatively coupled to or within access network 530 compares hardware ID 513 to a list of certificates for authorized client devices. In some embodiments, if hardware ID 513 is associated with a second service level, MHD 525 is directed by the bootstrap server or other network device to a transactional multimedia content server. MHD 525 may then issue a request for certain transactional content (e.g., a VOD movie). If hardware ID 513 is associated with a permission level that may receive the specified transaction content, MHD 525 is granted access to the specified transactional content. In some embodiments, access is granted to receive the specified content over an IP network (e.g., the Internet). If, when comparing hardware ID 513 to authorized hardware codes, it is determined that hardware ID 513 is associated with a first service level, the bootstrap server or other network device may direct MHD 525 to a live multimedia content server, for example, to receive first level service that may include live content or other content that is unavailable with the second service level. In some embodiments, MHD 525 may receive first service level content over a private network including an MCDN. However, if the MCDN is unavailable to MHD 525, then MHD 525 may receive second service level content (e.g., transactional content such as VOD movies) over a public IP network. In this way, MHD 525 may receive an alternate level of service when one or more portions of the MCDN are unavailable.

If MHD 525 receives transactional content, the content may be streamed and simultaneously displayed on display 526 or may be downloaded to storage 510 for later play. In some embodiments of MHD 525, hardware ID 513 may be substantially irreplaceably embedded within a portion of storage 510. For example without limitation, hardware ID 513 may be embedded in read-only memory that is permanently affixed to MHD 525 in a way that prevents hackers from accessing hardware ID 513 and using the hardware ID in an unauthorized machine.

In some embodiments, an indication of hardware ID 513 may be included in an X.509 certificate issued by a certification authority and used by MHD 525 to verify its identity and authorization level when requesting multimedia content. To obtain an X.509 certificate, MHD 525 may request the certificate from the certification authority and include an indication of hardware ID 513 in the request. An indication of hardware ID 513 may then be included in the certificate issued by the certification authority as the serial number or unique identifier for the X.509 certificate, as examples.

To the maximum extent allowed by law, the scope of the present disclosure is to be determined by the broadest permissible interpretation of the following claims and their equivalents, and shall not be restricted or limited to the specific embodiments described in the foregoing detailed description.

1. A method, comprising: determining, by a server, whether requested content is a live video or a video on demand; in response to the requested content being a live video, determining, by the server, a first network for delivering the requested content to a device; in response to the requested content being a video on demand, determining, by the server, a second network for delivering the requested content to the device, wherein the second network is different from the first network; and sending, by the server, the requested content to the device via one of the first network or the second network based on whether the requested content is a live video or a video on demand.

2. The method of claim 1, further comprising determining a network address that corresponds to the device.

3. The method of claim 1, further comprising determining a network address that corresponds to the first network.

4. The method of claim 1, further comprising determining a network address that corresponds to the second network.

5. The method of claim 1, further comprising retrieving a network address that corresponds to a content server.

6. The method of claim 1, further comprising retrieving a network address that corresponds to a content server storing the live video.

7. The method of claim 1, further comprising retrieving a network address that corresponds to a content server storing the video on demand.

8. A first device, comprising: a hardware processor; and a memory device, the memory device storing instructions, the instructions when executed causing the hardware processor to perform operations, the operations comprising: determining whether requested content is a live video or a video on demand; determining a first network for delivering the requested content to a second device in response to the requested content being a live video; determining a second network for delivering the requested to the second device in response to the requested content being a video on demand, wherein the second network is different from the first network; and sending the requested content to the second device via one of the first network and the second network based on whether the requested content is a live video or a video on demand.

9. The first device of claim 8, wherein the operations further comprise determining a network address that corresponds to the second device.

10. The first device of claim 8, wherein the operations further comprise determining a network address that corresponds to the first network.

11. The first device of claim 8, wherein the operations further comprise determining a network address that corresponds to the second network.

12. The first device of claim 8, wherein the operations further comprise retrieving a network address that corresponds to a content server.

13. The first device of claim 8, wherein the operations further comprise retrieving a network address that corresponds to a content server storing the live video.

14. The first device of claim 8, wherein the operations further comprise retrieving a network address that corresponds to a content server storing the video on demand.

15. The first device of claim 8, wherein the operations further comprise retrieving a network address that corresponds to at least one of a content server storing the live video and a different content server storing the video on demand.

16. A computer readable medium storing processor-executable instructions that when executed cause a hardware processor to perform operations, the operations comprising: determining whether requested content is a live video or a video on demand; determining a first network for delivering the requested content to a device in response to the requested content being a live video; determining a second network for delivering the requested content to the device in response to the requested content being a video on demand, wherein the second network is different from the first network; and sending the requested content to the device via one of the first network and the second network based on whether the requested content is a live video or a video on demand.

17. The computer readable medium of claim 16, wherein the operations further comprise determining a network address that corresponds to the device.

18. The computer readable medium of claim 16, wherein the operations further comprise determining a network address that corresponds to the first network.

19. The computer readable medium of claim 16, wherein the operations further comprise determining a network address that corresponds to the second network.

20. The computer readable medium of claim 16, wherein the operations further comprise retrieving a network address that corresponds to a content server.